EDIT: the above is not good enough. Apparently we need to disable cgroup v1 and only use v2 (memory controller can't be mounted to both), though this would break Docker it seems, which relies on cgroups v1.
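A check for the constraint mentioned in the edit above, as an added example that is not part of the original post: it reports whether the memory controller is attached to a cgroup v1 hierarchy or is available in the v2 one, using `/proc/self/mountinfo` and the v2 root's `cgroup.controllers`. The function names and the sample mount lines are constructed for illustration.

```python
# Constructed /proc/self/mountinfo samples (not captured from a real host).
HYBRID = """\
30 24 0:26 / /sys/fs/cgroup/unified rw,nosuid,nodev,noexec,relatime shared:9 - cgroup2 cgroup2 rw,nsdelegate
34 24 0:30 / /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime shared:15 - cgroup cgroup rw,memory
35 24 0:31 / /sys/fs/cgroup/cpu,cpuacct rw,nosuid,nodev,noexec,relatime shared:16 - cgroup cgroup rw,cpu,cpuacct
"""
UNIFIED = """\
30 24 0:26 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime shared:9 - cgroup2 cgroup2 rw,nsdelegate
"""


def cgroup_mounts(mountinfo_text):
    """Yield (fstype, mount_point, super_options) for every cgroup mount."""
    for line in mountinfo_text.splitlines():
        # Fields after the " - " separator: fstype, source, super options.
        left, sep, right = line.partition(" - ")
        if not sep:
            continue
        fstype, _source, super_opts = (right.split(" ", 2) + ["", ""])[:3]
        if fstype in ("cgroup", "cgroup2"):
            yield fstype, left.split()[4], set(super_opts.split(","))


def memory_controller_binding(mountinfo_text, v2_controllers=""):
    """Return 'v1', 'v2' or 'none' for where the memory controller is attached.

    v2_controllers is the content of cgroup.controllers at the cgroup2 root.
    """
    mounts = list(cgroup_mounts(mountinfo_text))
    # A v1 hierarchy names its controllers in the mount's super options.
    if any(fs == "cgroup" and "memory" in opts for fs, _, opts in mounts):
        return "v1"
    # On v2 the controller only counts if the unified root lists it.
    has_v2 = any(fs == "cgroup2" for fs, _, _ in mounts)
    if has_v2 and "memory" in v2_controllers.split():
        return "v2"
    return "none"


if __name__ == "__main__":
    import pathlib
    info = pathlib.Path("/proc/self/mountinfo").read_text()
    roots = [mp for fs, mp, _ in cgroup_mounts(info) if fs == "cgroup2"]
    ctrl = pathlib.Path(roots[0], "cgroup.controllers") if roots else None
    listed = ctrl.read_text() if ctrl and ctrl.exists() else ""
    print(memory_controller_binding(info, listed))
```

A result of `v1` on a hybrid host means the memory controller is held by the v1 hierarchy and will not appear in the v2 root's `cgroup.controllers`.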